Virus-proof ACL Does Not Take Effect Because of Incorrect Configuration on the MA5200

Publication Date: 2012-07-27

Issue Description

The MA5200F uses a global ACL to block the ports used by certain viruses, but users accessed through interface-2 still receive virus attacks on the very ports that the ACL denies.

Alarm Information

Null

Handling Process

1. Capture packets at the user's client. A large number of attack packets targeting TCP port 135 are received, even though the MA5200F denies that port.
2. Only the users on port-2 are affected; users on the other ports are not. Move the IP address used on port-2 to another port: no attack packets are received there, which rules out the possibility that the IP address itself is the target.
3. Check the user configuration. The virus-proof ACL 3001 is applied globally, but port-2 has its own ACL 3002 applied.
4. Because port-2 has an interface ACL, the virus-proof rule must be added to that ACL as well. Doing so resolves the problem.

Original configuration:

#
acl number 3001
 rule 1 net-user deny tcp destination-port eq 135
acl number 3002
 rule 1 net-user permit ip source 2××.1××.196.61 0 destination 1 ……
#
access-group 3002 Ethernet 2
access-group 3001

Configuration after correction:

#
acl number 3001
 rule 1 net-user deny tcp destination-port eq 135
acl number 3002
 rule 1 net-user permit ip source 2××.1××.196.61 0 destination 1
 rule 2 net-user deny tcp destination-port eq 135 ……
#
access-group 3002 Ethernet 2
access-group 3001

Root Cause

On the MA5200, when an ACL is applied both on an interface and globally, the system matches the interface ACL first. If no rule of the interface ACL matches a packet, the interface ACL's default action (permit) still applies and the global ACL is not evaluated for traffic on that interface. As a result, users under interface-2 continued to receive the virus packets that the global ACL denies.

Suggestions

If a global ACL and an interface ACL are configured at the same time and the global rules must also take effect on that interface, add the global rules to the interface ACL. When adding a deny rule to an interface ACL, place it ahead of any permit rule that could match the same traffic; if rules are matched in configuration order, a permit evaluated first would still let that traffic through. Where possible, apply the ACL globally only.
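The check described above can be automated against a saved configuration. The script below is an added example, not part of the original case or of any Huawei tool: it parses "acl number", "rule ... net-user permit|deny ..." and "access-group" lines in the form shown in this case (an "access-group" line followed by an interface name is treated as an interface binding, one without is treated as the global binding; this reading of the syntax is an assumption), reports every interface whose bound ACL lacks a deny rule present in the globally applied ACL, and generates the "rule" lines needed to merge them in. The two sample configurations are constructed to mirror the original and corrected configurations; the masked address and the truncated destination clause from the page are not reproduced.

```python
import re

# Constructed sample configurations mirroring the case; not copied from a device.
# "2xx.1xx.196.61" stands in for the masked address on the page, and the
# destination clause of rule 1 (truncated on the page) is omitted.
ORIGINAL_CONFIG = """\
#
acl number 3001
 rule 1 net-user deny tcp destination-port eq 135
acl number 3002
 rule 1 net-user permit ip source 2xx.1xx.196.61 0
#
access-group 3002 Ethernet 2
access-group 3001
"""

CORRECTED_CONFIG = """\
#
acl number 3001
 rule 1 net-user deny tcp destination-port eq 135
acl number 3002
 rule 1 net-user permit ip source 2xx.1xx.196.61 0
 rule 2 net-user deny tcp destination-port eq 135
#
access-group 3002 Ethernet 2
access-group 3001
"""

RE_ACL = re.compile(r"^acl number (\d+)$")
RE_RULE = re.compile(r"^rule (\d+) net-user (permit|deny) (.+)$")
# "access-group <acl> [<iftype> <ifnum>]": with an interface it is an interface
# binding, without one the global binding (assumed from the form shown in the case).
RE_BIND = re.compile(r"^access-group (\d+)(?: (\S+ \S+))?$")


def parse_config(text):
    """Return (acls, iface_acl, global_acls).

    acls:        {acl_id: [(rule_no, action, match_text), ...]}
    iface_acl:   {interface: acl_id}
    global_acls: [acl_id, ...]
    """
    acls, iface_acl, global_acls = {}, {}, []
    current = None
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse indentation and extra spaces
        if not line or line == "#":
            continue
        if m := RE_ACL.match(line):
            current = m.group(1)
            acls.setdefault(current, [])
        elif (m := RE_RULE.match(line)) and current is not None:
            acls[current].append((int(m.group(1)), m.group(2), m.group(3)))
        elif m := RE_BIND.match(line):
            acl_id, iface = m.group(1), m.group(2)
            if iface:
                iface_acl[iface] = acl_id
            else:
                global_acls.append(acl_id)
    return acls, iface_acl, global_acls


def shadowed_global_denies(text):
    """Map each interface to the global deny rules its own ACL does not repeat.

    The interface ACL is consulted first and ends with an implicit permit, so
    every entry returned here is traffic the global ACL intends to block but
    that still reaches users on that interface.
    """
    acls, iface_acl, global_acls = parse_config(text)
    global_denies = [match for g in global_acls
                     for _, action, match in acls.get(g, []) if action == "deny"]
    findings = {}
    for iface, acl_id in iface_acl.items():
        local_denies = {match for _, action, match in acls.get(acl_id, [])
                        if action == "deny"}
        missing = [d for d in global_denies if d not in local_denies]
        if missing:
            findings[iface] = missing
    return findings


def rules_to_add(text):
    """Generate the 'rule' lines that merge the missing global deny rules into
    each shadowing interface ACL, numbered after that ACL's last rule."""
    acls, iface_acl, _ = parse_config(text)
    additions = {}
    for iface, missing in shadowed_global_denies(text).items():
        acl_id = iface_acl[iface]
        next_no = max((n for n, _, _ in acls.get(acl_id, [])), default=0) + 1
        additions[acl_id] = [f"rule {next_no + i} net-user deny {match}"
                             for i, match in enumerate(missing)]
    return additions


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(name, "->", shadowed_global_denies(cfg), rules_to_add(cfg))
```

The generated rules are appended after the ACL's highest existing rule number, which is where the case's correction placed rule 2. If an interface ACL already carries a broad permit that would match the same traffic, move the generated deny ahead of it, since the script only checks presence, not order.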